Jump to content


Photo

rxbot browser hijack


  • This topic is locked This topic is locked
4 replies to this topic

#1 txmot

txmot

    Member

  • New Member
  • Pip
  • 2 posts

Posted 29 June 2004 - 01:39 PM

Everytime I go on the net it takes me to some site that starts with rxbot. Even after closing all programs my computer constantly sends/receives information while I'm on the net. The following are the hijack this results. Any help on this is appreciated.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\lsac.exe
C:\WINDOWS\System32\aqyjnzxc.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\internet optimizer\sim\msbb.exe
C:\Program Files\Save\Save.exe
C:\Program Files\WhenUSearch\Search.exe
C:\WINDOWS\System32\systemnt.exe
C:\WINDOWS\System32\dosprmwin.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory
2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.websearch...e.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.websearch...e.aspx?tb_id=40
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
"C:\Program Files\Outlook Express\msimn.exe"
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.websearch...e.aspx?tb_id=40
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972}
- C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} -
C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} -
C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no
file)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} -
C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} -
C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} -
C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -
C:\WINDOWS\wsem218.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -
C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} -
c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} -
C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} -
C:\WINDOWS\nem218.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no
file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
- c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC}
- C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital
Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program
Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common
files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [357C33D6] C:\WINDOWS\System32\bjrxyolliwttnw.exe
O4 - HKLM\..\Run: [Microsoft Update] lsac.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe
"C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [wprczbzssu] C:\WINDOWS\System32\aqyjnzxc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet
Optimizer\optimize.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [msbb] c:\program files\internet
optimizer\sim\msbb.exe
O4 - HKLM\..\Run: [rcx] C:\WINDOWS\rcx.exe
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program
Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] systemnt.exe
O4 - HKLM\..\Run: [Micro Process] dosprmwin.exe
O4 - HKLM\..\Run: [Cryptographic Service]
C:\WINDOWS\System32\jyufao.exe
O4 - HKLM\..\RunServices: [5B26CE1C]
C:\WINDOWS\System32\bjrxyolliwttnw.exe
O4 - HKLM\..\RunServices: [Microsoft Update] lsac.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemnt.exe
O4 - HKLM\..\RunServices: [Micro Process] dosprmwin.exe
O4 - HKCU\..\Run: [Micro Process] dosprmwin.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] systemnt.exe
O4 - HKCU\..\Run: [Microsoft Update] lsac.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program
Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq
Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll'
missing
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} -
http://dst.trafficsy...l/T_40/QDow.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -
http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -
http://www.mt-downlo...tsInstaller.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{4C56EB8C-8888-44C9-89C7-6FA1220B6DEE}: NameServer = 209.102.124.11 209.102.124.10

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 29 June 2004 - 02:21 PM

Hi,
Uninstall via Add Remove: (if exists)
WhenUSearch
Bargain Buddy
Internet Optimizer
WinTools
Twain-Tech

You have way too many issues to use just HijackThis ...

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program.

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button. Under "Log-file detail", select all options.

Click the "Tweaks" button. Under "Scanning Engine", select the following:
1) "Include additional Ad-aware settings in logfile"
2) "Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on Proceed to save these Preferences.
Note: make sure that you activate IN-DEPTH scanning before you proceed.

Download Lavasoft's VX2 Cleaner plug-in here:
http://www.lavasofts...showtopic=33729

After the above ...

Download > HijackThis 1.98
Create a folder via Windows Explorer for HijackThis, unzip, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

After the above rescan with the updated HijackThis and post a fresh log ...
Note: post a complete log including the top section, your's is missing now.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 txmot

txmot

    Member

  • New Member
  • Pip
  • 2 posts

Posted 23 July 2004 - 01:42 PM

The ad-aware and configuration took care of everything.
THANKS!

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 23 July 2004 - 06:24 PM

Hi,
You're welcome ... glad to see you were able to resolve your problem. :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 01 October 2004 - 04:05 AM

Glad to see you were able to resolve your problem.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button